Key Data Security Checklist for Reviewing Vendor Contracts

May 7, 2024

Contributed by Melissa Krasnow, Partner, VLP Law Group LLP, where she advises clients in the education, financial services, health and life sciences, manufacturing and technology areas on domestic and cross-border privacy, data security, big data, artificial intelligence and governance matters, technology transactions and mergers and acquisitions.

If a company has conducted a preliminary assessment of vendors, or if the company has not conducted such preliminary assessment of vendors or does not have such preliminary assessment process, the following checklist raises key questions as a company reviews the terms of a proposed vendor contract.

[Download our GC Guide to Navigating 2024: Data Privacy and Cybersecurity Risk for analysis of the most pressing data privacy and cybersecurity challenges facing in-house counsel, including navigating new SEC cyber disclosure rules.]

Personal information

  1. How is personal information defined?
    • Does the definition refer to a specific law/regulation, e.g., GDPR, CCPA, CPRA, etc.?
    • Does the definition refer to special categories of personal information, such as sensitive personal information? If so, how are they defined?
    • Does the definition refer to a specific contract or document?
    • Are examples of personal information and/or personal information identifiers specified?
  2. Is there a separate definition for confidential information?
    • How is confidential information defined?
    • Is personal information included in the definition of confidential information?
    • Is personal information to be treated as confidential information?
  3. Are there types of information defined separately from personal information and confidential information?

Applicable law

  1. Are specific laws/regulations incorporated into the contract?
    • If not, should they be?
    • If so, in which context?
  2. Is specific guidance, or are specific industry practices, standards, or frameworks incorporated into the contract?
    • If not, should they be?
    • If so, how are they included and defined?
    • Are they required or recommended as a “best practice”?
  3. Does the contract address potential changes to laws/regulations/guidance, etc.?

Security incident

  1. How is security incident defined?
    • Are unauthorized and/or unlawful uses and/or disclosures addressed? If so, how?
    • Is a suspected security incident included in addition to an actual security incident?
    • Does the definition incorporate language from or refer to the CCPA?
    • Are there specific exceptions to the definition of a security incident?
  2. Does the contract address how, when, and to whom a security incident must be reported?
    • Who is required to report the security incident?
    • Is there a specific contact and contact information for providing and receiving such reporting?
    • Is anyone else permitted to provide or receive the report of the security incident?
    • Which specific information must be reported?
    • How must it be reported?
    • Must it be reported within a specific time frame?
    • Are updates required, and if so, with any particular frequency?
    • Which actions must be taken to prevent, contain, and mitigate security incident?
  3. Is a prompt or immediate investigation required?
  4. Is cooperation regarding the security incident required:
    • between parties?
    • with law enforcement and/or regulators?
    • with incident response personnel (internal and external)?
    • with insurers and insurance brokers?
    • Must a root cause analysis of the security incident be provided?
  5. Are there restrictions regarding disclosure of or publicity regarding a security incident?
  6. Does the contract specify which party is to have control of the investigation and management (including notification) of the security incident?
  7. Does the contract specify which party is responsible for costs relating to the security incident (e.g., legal, forensics, credit monitoring, printing and postage, other remediation, etc.)?
    • Does the contract require mitigation measures and/or actions to prevent recurrence?
    • Does the contract require notification and/or documentation regarding mitigation measures and/or actions to prevent recurrence? If so, to whom and in what format?

Security practices

  1. Does the contract require specific physical, administrative, and technical safeguards?
    • If so, what are these safeguards?
    • Are the safeguards for personal information only?
    • Do they cover confidential information?
    • Do they cover other specified or defined information?
  2. Does the contract require implementation and maintenance of a written information security program (WISP) with specific safeguards?
  3. Does the contract include security requirements specific to the vendor?
  4. Does the contract require policies and procedures to detect and protect against actual or suspected security incidents?
  5. Does the vendor have separate policies and procedures addressing security?
    • If so, what do they cover?
  6. Does the vendor have separate business continuity policies and procedures?
    • If so, what do they address?
  7. Does the contract require due diligence and include other measures regarding the vendor’s employees and/or subcontractors (such as background checks, training, policy and contract requirements, etc.)?
  8. Does the contract specify access control measures?
  9. Does the contract address and define encryption measures?
  10. Does the contract specify restrictions on the use and/or disclosure of personal information, confidential information, and/or other specific or defined information?
  11. Does the contract include specifications regarding personal information, confidential information and/or other specified or defined information relating to:
    • secure transmission?
    • secure storage?
    • secure disposal?
  12. Does the contract address monitoring, testing, and updating of safeguards, program, policies and procedures?
  13. Does the contract permit or require assessments or audits of the security program?
    • What are the assessments or audits?
    • How are they invoked and performed?
    • How frequently?
    • Who performs them?
    • Who pays for them?
  14. Does the contract specify that deficiencies found in the security program must be corrected?
    • If so, how must correction of such deficiencies be communicated and to whom?

[Bloomberg Law subscribers can access the annotated version of this checklist with expert commentary and analysis. Not a subscriber? Request a demo.]

Recommended for you

See Bloomberg Law in action

From live events to in-depth reports, discover singular thought leadership from Bloomberg Law. Our network of expert analysts is always on the case – so you can make yours. Request a demo to see it for yourself.